Malware By Email

It was an active week for malware, especially as attachments to emails. I received both a trojan downloader by email and a worm by email.

The bad guys are continuing to use "social engineering," to get their malware opened and run. Recent malware has been arriving in some form of compressed file. This week, I saw both ZIP files and RAR files.

They try to get the recipient’s curiosity to overcome his sense of wariness, with filenames such as "Fees-2008_2009.zip" and "movie.rar".

The Fees-2008_2009.zip file contained a worm (a self-replicating program designed to spread the problem to the recipient’s friends and net-neighbors). Here’s what VIPRE showed when it found this malware:

(click on the image for a larger version)

The movie.rar file, which uses the less common RAR compression method, contained a backdoor "Bot" program, designed to give the operator of the bot network (bot = short for robot) remote control of the recipient’s computer. These remotely controlled computers are often used for spamming and attacks on other computers.

The movie.rar file was attached to an email claiming "Great Jugs", so you can imagine that a few of these were opened…

(click on the image for a larger version)

The movie.rar file also is an example of malware using one of the misleading security holes which Microsoft has given us.

By default, recent versions of Windows have hidden the actual filename extensions from us. Unless we change our settings in Windows so that it shows filename extensions, we don’t realize the true name of the file.

In this case, the real filename of the malware is "movie.avi.exe" — which a default version of Windows will show as "movie.avi". Since we know .avi files are video files, we might be tempted not to worry about them. In reality, it is a .exe executable program that would run when we open the file.

You can change your Windows XP settings to display the full filename. Here’s the link to my article Hidden File Extensions in Windows